OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on the Claim File Tracker AJAX endpoint, allowing authenticated users without billing permissions to retrieve sensitive claim metadata including claim IDs, payer information, and transmission logs. An authenticated attacker with minimal privileges can access confidential billing information that should be restricted to authorized billing staff. No patch is currently available for affected installations.
Authenticated WordPress users with Subscriber-level privileges can create editorial notes on any post via the REST API in versions 6.9-6.9.1, bypassing permission checks that should restrict note creation to authorized editors. This allows attackers to annotate private posts, posts by other authors, and unpublished content without proper authorization. No patch is currently available for this Medium severity vulnerability.
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 4.3).
The Modular DS WordPress plugin through version 2.5.1 lacks CSRF protections on its OAuth disconnection function, allowing unauthenticated attackers to sever the plugin's SSO connection by tricking administrators into clicking a malicious link. This vulnerability affects all website administrators using the plugin and could disrupt authentication mechanisms if exploited. No patch is currently available.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 versions up to 18.7.6 is affected by incorrect authorization (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 versions up to 18.7.6 contains a security vulnerability (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 versions up to 18.7.6 is affected by missing authorization (CVSS 4.3).
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Keycloak's Account REST API improperly validates session assurance levels, enabling authenticated attackers with a victim's password to remove MFA/OTP credentials without re-authentication and subsequently register their own authenticator. This allows complete account takeover by bypassing the intended multi-factor authentication protections. The vulnerability affects users relying on MFA as a security control and currently has no available patch.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 versions up to 18.7.6 is affected by use of incorrectly-resolved name or reference (CVSS 4.1).